Thread: pgpool ssl handshake failure
Hi,
I am using pgpool-II version 3.4.3 (tataraboshi).
Where my database is Postgresql 8.4.
I am trying to configure ssl mode from client and between pgpool and database it is non-ssl.
I configured as document and now I am getting this in my log:
2015-10-13 22:17:58: pid 1857: LOG: new connection received
2015-10-13 22:17:58: pid 1857: DETAIL: connecting host=10.0.0.5 port=65326
2015-10-13 22:17:58: pid 1857: LOG: pool_ssl: "SSL_read": "ssl handshake failure"
2015-10-13 22:17:58: pid 1857: ERROR: unable to read data from frontend
2015-10-13 22:17:58: pid 1857: DETAIL: socket read failed with an error "Success"
Please let me know what wrong I am doing.
Thanks & Regards.
On 10/15/2015 06:59 AM, AI Rumman wrote:
> Hi,
>
> I am using pgpool-II version 3.4.3 (tataraboshi).
> Where my database is Postgresql 8.4.

Probably already know, but 8.4 is approximately 1.25 years beyond EOL:

http://www.postgresql.org/support/versioning/

> I am trying to configure ssl mode from client and between pgpool and
> database it is non-ssl.

What is non-ssl, the database or pgpool?

> I configured as document and now I am getting this in my log:
>
> 2015-10-13 22:17:58: pid 1857: LOG: new connection received
> 2015-10-13 22:17:58: pid 1857: DETAIL: connecting host=10.0.0.5 port=65326
> 2015-10-13 22:17:58: pid 1857: LOG: pool_ssl: "SSL_read": "ssl handshake failure"
> 2015-10-13 22:17:58: pid 1857: ERROR: unable to read data from frontend
> 2015-10-13 22:17:58: pid 1857: DETAIL: socket read failed with an error "Success"
>
> Please let me know what wrong I am doing.

Not quite sure but given the below from the 9.5 Release Notes:

"
Remove server configuration parameter ssl_renegotiation_limit, which was deprecated in earlier releases (Andres Freund)

While SSL renegotiation is a good idea in theory, it has caused enough bugs to be considered a net negative in practice, and it is due to be removed from future versions of the relevant standards. We have therefore removed support for it from PostgreSQL."

I would check to see what ssl_renegotiation_limit is set to:

http://www.postgresql.org/docs/8.4/static/runtime-config-connection.html

and if it is not set to 0, then try that.

> Thanks & Regards.

--
Adrian Klaver
adrian.klaver@aklaver.com
I configured Postgresql 9.4 and still getting the same error.
Thanks.
On 10/15/2015 09:36 AM, AI Rumman wrote:
> I configured Postgresql 9.4 and still getting the same error.

Configured what?

Or more to the point what is ssl_renegotiation_limit set to?

> Thanks.

--
Adrian Klaver
adrian.klaver@aklaver.com
> Hi,
>
> I am using pgpool-II version 3.4.3 (tataraboshi).
> Where my database is Postgresql 8.4.
>
> I am trying to configure ssl mode from client and between pgpool and
> database it is non-ssl.
> I configured as document and now I am getting this in my log:
>
>> 2015-10-13 22:17:58: pid 1857: LOG: new connection received
>> 2015-10-13 22:17:58: pid 1857: DETAIL: connecting host=10.0.0.5 port=65326
>> 2015-10-13 22:17:58: pid 1857: LOG: pool_ssl: "SSL_read": "ssl handshake failure"
>> 2015-10-13 22:17:58: pid 1857: ERROR: unable to read data from frontend
>> 2015-10-13 22:17:58: pid 1857: DETAIL: socket read failed with an error "Success"
>
> Please let me know what wrong I am doing.

Works for me using psql coming with PostgreSQL 9.4.5 and pgpool-II 3.4.3. (This is Ubuntu 14.04. PostgreSQL and pgpool-II are compiled from the source code).

$ psql -p 11000 -h localhost test
psql (9.4.5)
SSL connection (protocol: TLSv1, cipher: AES256-SHA, bits: 256, compression: off)
Type "help" for help.

I don't think your old PostgreSQL 8.4 server is related to your problem because you are trying to enable SSL between client and pgpool, not pgpool and PostgreSQL server. However psql coming with PostgreSQL 8.4 might be related to the problem. Why don't you try newer version of psql (more precisely, newer libpq).

I assume your SSL setting is perfect. If you are not sure, please take a look at FAQ:
http://pgpool.net/mediawiki/index.php/FAQ#How_can_I_set_up_SSL_for_pgpool-II.3F

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
AI Rumman wrote:
> I am using pgpool-II version 3.4.3 (tataraboshi).
> Where my database is Postgresql 8.4.
>
> I am trying to configure ssl mode from client and between pgpool and database it is non-ssl.
> I configured as document and now I am getting this in my log:
>
> 2015-10-13 22:17:58: pid 1857: LOG: new connection received
> 2015-10-13 22:17:58: pid 1857: DETAIL: connecting host=10.0.0.5 port=65326
> 2015-10-13 22:17:58: pid 1857: LOG: pool_ssl: "SSL_read": "ssl handshake failure"
> 2015-10-13 22:17:58: pid 1857: ERROR: unable to read data from frontend
> 2015-10-13 22:17:58: pid 1857: DETAIL: socket read failed with an error "Success"
>
> Please let me know what wrong I am doing.

Does the problem occur immediately when you try to connect or only after some time?

If the latter, it may well be a renegotiation issue.

If the former, I can't guess.
What are the OpenSSL versions involved on both ends?

Yours,
Laurenz Albe
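
The replies above ask whether the failure happens at connect time and which OpenSSL versions are involved on each end. The following is an added example, not code from the thread or from the pgpool-II or PostgreSQL projects: it sends the PostgreSQL SSLRequest packet to a listener such as pgpool and reports the listener's answer, the negotiated protocol and cipher, and the local OpenSSL version. The function names and report keys are assumptions made for this example.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) + int32 code 80877103 (1234 << 16 | 5679).
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def request_ssl(sock):
    """Send SSLRequest on a connected socket and classify the one-byte answer."""
    sock.sendall(SSL_REQUEST)
    answer = sock.recv(1)
    if answer == b"S":
        return "accepted"   # listener is willing; the TLS handshake comes next
    if answer == b"N":
        return "refused"    # SSL is not enabled on the listener
    if answer == b"E":
        return "error"      # ErrorResponse from a listener without SSL support
    return "closed" if answer == b"" else "unexpected"


def probe(host, port, timeout=5.0):
    """Report how far an SSL connection to host:port gets (hypothetical helper)."""
    report = {"local_openssl": ssl.OPENSSL_VERSION}
    with socket.create_connection((host, port), timeout=timeout) as raw:
        report["ssl_request"] = request_ssl(raw)
        if report["ssl_request"] != "accepted":
            return report
        # Diagnostic only: certificate checks are off so that a failure here
        # points at a protocol or cipher mismatch, not at trust configuration.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["handshake"] = "ok"
                report["protocol"] = tls.version()
                report["cipher"] = tls.cipher()[0]
        except ssl.SSLError as exc:
            report["handshake"] = "failed: %s" % exc
    return report


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python probe.py <pgpool-host> <pgpool-port>` from the client machine. A result of "accepted" followed by a failed handshake places the problem in the TLS negotiation between the client library and pgpool, which is where the OpenSSL versions on both ends matter.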